NASA is requiring whole disk encryption for all of its workers’ laptops after a recent breach. In a memo, the agency informed workers that a laptop that had been stolen contained unencrypted employee personal information.
SpaceRef posted a copy of the internal memo about the incident, which read, “On October 31, 2012, a NASA laptop and official NASA documents issued to a Headquarters employee were stolen from the employee’s locked vehicle. The laptop contained records of sensitive personally identifiable information (PII) for a large number of NASA employees, contractors, and others. Although the laptop was password protected, it did not have whole disk encryption software, which means the information on the laptop could be accessible to unauthorized individuals. We are thoroughly assessing and investigating the incident, and taking every possible action to mitigate the risk of harm or inconvenience to affected employees.”
InformationWeek’s Mathew J. Schwartz reported, “In addition to now implementing full-disk encryption software for NASA laptops, [NASA’s Richard J.] Keegan said NASA will pay ID Experts to notify people who’ve been affected by the breach, and to provide identity theft and credit monitoring services. Anyone affected will be notified about the breach via a written, mailed letter — but not by email or phone, he said.”
PCMag’s Chloe Albanesius noted, “This is not the first time NASA has lost a laptop with sensitive information. In February testimony before the House, Inspector General Paul Martin informed members of Congress that an unencrypted laptop was stolen from NASA in March 2011. It contained codes to control the International Space Station, and was just one of ‘5,408 computer security incidents [in 2010 and 2011] that resulted in the installation of malicious software on or unauthorized access to [NASA] systems,’ Martin said.”
Nicole Perlroth from The New York Times wrote, “Given its history, it is unclear why the agency has not stepped up its security practices. Beth Dickey, a NASA spokeswoman, said that in this most recent case, the employee’s laptop had been for a security upgrade. ‘The laptop was scheduled to receive encryption, as part of an ongoing, agency-wide effort to encrypt whole disks of all NASA computers,’ Ms. Dickey said. ‘This one just hadn’t been done yet.’ NASA has said it plans to have all of its laptops running whole-disk encryption software by Dec. 21.”